These files are generally uploaded through old CMS software and/or out-dated CMS plugins. On the domain you found the file on, make sure you update all software (i.e. wordpress, joomla), themes, components, and plugins. Also change the administrator password for the CMS.

You can do all sorts of things to secure your server, but if your customer installs a vulnerable CMS plugin, there is very little you can do to stop it from being hacked, aside from a very good ModSecurity rule set.